RELEASE NOTES: JDK openjdk8u432

Notes generated: Mon Dec 09 05:06:59 CET 2024

JEPs

None.

RELEASE NOTES

core-libs/javax.naming

Issue Description
JDK-8290367

Update Default Value and Extend the Scope of com.sun.jndi.ldap.object.trustSerialData System Property


In this release, the JDK implementation of the LDAP provider no longer supports deserialization of Java objects by default:

  • The default value of the com.sun.jndi.ldap.object.trustSerialData system property has been updated to false.

  • The scope of the com.sun.jndi.ldap.object.trustSerialData system property has been extended to cover the reconstruction of RMI remote objects from the javaRemoteLocation LDAP attribute.

The transparent deserialization of Java objects from an LDAP context will now require an explicit opt-in. Applications that rely on reconstruction of Java objects or RMI stubs from the LDAP attributes would need to set the com.sun.jndi.ldap.object.trustSerialData system property to true.


core-libs/java.util.jar

Issue Description
JDK-8193682

Default JDK Compressor Will Be Closed when IOException Is Encountered


The DeflaterOutputStream.close() and GZIPOutputStream.finish() methods have been modified to close out the associated default JDK compressor before propagating a Throwable up the stack. The ZipOutputStream.closeEntry() method has been modified to close out the associated default JDK compressor before propagating an IOException, not of type ZipException, up the stack.


security-libs/javax.net.ssl

Issue Description
JDK-8279164

Disabled TLS_ECDH Cipher Suites


The TLS_ECDH cipher suites have been disabled by default, by adding "ECDH" to the jdk.tls.disabledAlgorithms security property in the java.security configuration file. The TLS_ECDH cipher suites do not preserve forward-secrecy and are rarely used in practice. Note that some TLS_ECDH cipher suites were already disabled because they use algorithms that are disabled, such as 3DES and RC4. This action disables the rest. Any attempts to use cipher suites starting with "TLS_ECDH_" will fail with an SSLHandshakeException. Users can, at their own risk, re-enable these cipher suites by removing "ECDH" from the jdk.tls.disabledAlgorithms security property.

Please note that this change has no effect on the TLS_ECDHE cipher suites, which are still enabled by default.


JDK-8337664

Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024


The JDK will stop trusting TLS server certificates issued after November 11, 2024 and anchored by Entrust root certificates, in line with similar plans recently announced by Google and Mozilla. The list of affected certificates includes certificates branded as AffirmTrust, which are managed by Entrust.

TLS server certificates issued on or before November 11, 2024 will continue to be trusted until they expire. Certificates issued after that date, and anchored by any of the Certificate Authorities in the table below, will be rejected.

The restrictions will be enforced in the JDK implementation (the SunJSSE Provider) of the Java Secure Socket Extension (JSSE) API. A TLS session will not be negotiated if the server's certificate chain is anchored by any of the Certificate Authorities in the table below and the certificate has been issued after November 11, 2024.

An application will receive an Exception with a message indicating the trust anchor is not trusted, for example:

`TLS server certificate issued after 2024-11-11 and anchored by a distrusted legacy Entrust root CA: CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net`

If necessary, and at your own risk, you can work around the restrictions by removing "ENTRUST_TLS" from the jdk.security.caDistrustPolicies security property in the java.security configuration file.

The restrictions are imposed on the following Entrust Root certificates included in the JDK:

Root Certificates distrusted after 2024-11-11

Distinguished Name
    SHA-256 Fingerprint

CN=Entrust Root Certification Authority, OU=(c) 2006 Entrust, Inc., OU=www.entrust.net/CPS is incorporated by reference, O=Entrust, Inc., C=US
    73:C1:76:43:4F:1B:C6:D5:AD:F4:5B:0E:76:E7:27:28:7C:8D:E5:76:16:C1:E6:E6:14:1A:2B:2C:BC:7D:8E:4C

CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
    02:ED:0E:B2:8C:14:DA:45:16:5C:56:67:91:70:0D:64:51:D7:FB:56:F0:B2:AB:1D:3B:8E:B0:70:E5:6E:DF:F5

CN=Entrust Root Certification Authority - G2, OU=(c) 2009 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
    43:DF:57:74:B0:3E:7F:EF:5F:E4:0D:93:1A:7B:ED:F1:BB:2E:6B:42:73:8C:4E:6D:38:41:10:3D:3A:A7:F3:39

CN=Entrust Root Certification Authority - G4, OU=(c) 2015 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US
    DB:35:17:D1:F6:73:2A:2D:5A:B9:7C:53:3E:C7:07:79:EE:32:70:A6:2F:B4:AC:42:38:37:24:60:E6:F0:1E:88

CN=Entrust.net Certification Authority (2048), OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), O=Entrust.net
    6D:C4:71:72:E0:1C:BC:B0:BF:62:58:0D:89:5F:E2:B8:AC:9A:D4:F8:73:80:1E:0C:10:B9:C8:37:D2:1E:B1:77

CN=AffirmTrust Commercial, O=AffirmTrust, C=US
    03:76:AB:1D:54:C5:F9:80:3C:E4:B2:E2:01:A0:EE:7E:EF:7B:57:B6:36:E8:A9:3C:9B:8D:48:60:C9:6F:5F:A7

CN=AffirmTrust Networking, O=AffirmTrust, C=US
    0A:81:EC:5A:92:97:77:F1:45:90:4A:F3:8D:5D:50:9F:66:B5:E2:C5:8F:CD:B5:31:05:8B:0E:17:F3:F0:B4:1B

CN=AffirmTrust Premium, O=AffirmTrust, C=US
    70:A7:3F:7F:37:6B:60:07:42:48:90:45:34:B1:14:82:D5:BF:0E:69:8E:CC:49:8D:F5:25:77:EB:F2:E9:3B:9A

CN=AffirmTrust Premium ECC, O=AffirmTrust, C=US
    BD:71:FD:F6:DA:97:E4:CF:62:D1:64:7A:DD:25:81:B0:7D:79:AD:F8:39:7E:B4:EC:BA:9C:5E:84:88:82:14:23

You can also use the keytool utility from the JDK to print out details of the certificate chain, as follows:

keytool -v -list -alias <your_server_alias> -keystore <your_keystore_filename>

If any of the certificates in the chain issued by one of the root CAs in the table above are listed in the output, you will need to update the certificate or contact the organization that manages the server.
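
An added example (not part of the release notes or the JDK) that audits the text of a java.security file for the two entries described above, "ECDH" in jdk.tls.disabledAlgorithms and "ENTRUST_TLS" in jdk.security.caDistrustPolicies, and flags a JVM argument that opts back in to com.sun.jndi.ldap.object.trustSerialData. The sample file contents and the function names are constructed for illustration, and the parser assumes the key=value form that java.security uses.

```python
# Entries this release adds to java.security; removing one undoes the default.
EXPECTED = {
    "jdk.tls.disabledAlgorithms": "ECDH",
    "jdk.security.caDistrustPolicies": "ENTRUST_TLS",
}
# JVM argument that opts back in to LDAP object deserialization.
LDAP_OPT_IN = "-Dcom.sun.jndi.ldap.object.trustSerialData=true"
# Constructed sample files, not copied from a real installation.
SHIPPED = """\
# constructed excerpt
jdk.security.caDistrustPolicies=SYMANTEC_TLS,ENTRUST_TLS
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, RC4, DES, \\
    3DES_EDE_CBC, anon, NULL, ECDH
"""
WEAKENED = """\
jdk.security.caDistrustPolicies=SYMANTEC_TLS
jdk.tls.disabledAlgorithms=SSLv3, RC4, 3DES_EDE_CBC, anon, NULL
"""

def parse_security_properties(text):
    """Parse key=value lines with '#' comments and backslash continuations."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()
        if not logical and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            logical += line[:-1]
            continue
        key, sep, value = (logical + line).partition("=")
        if sep:
            props[key.strip()] = value.strip()   # a later duplicate key wins
        logical = ""
    return props

def audit(security_text, jvm_args=()):
    """Return one finding per setting that undoes this release's defaults."""
    props = parse_security_properties(security_text)
    findings = []
    for key, token in EXPECTED.items():
        entries = [e.strip() for e in props.get(key, "").split(",")]
        if token not in entries:
            findings.append(f"{key}: {token} is not listed")
    if LDAP_OPT_IN in jvm_args:
        findings.append("trustSerialData=true: LDAP object deserialization enabled")
    return findings

if __name__ == "__main__":
    print(audit(SHIPPED), audit(WEAKENED, [LDAP_OPT_IN]))
```

Security properties can also be changed by an override file passed with -Djava.security.properties, so run the same audit over that file when one is in use.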


JDK-8341059

Distrust TLS Server Certificates Anchored by Entrust Root Certificates and Issued After Nov 11, 2024


The release note for this issue is identical to the one for JDK-8337664 above.


security-libs/java.security

Issue Description
JDK-8341057

Added SSL.com TLS Root CA Certificates Issued in 2022


The following root certificates have been added to the cacerts truststore:

```
+ SSL.com
  + ssltlsrootecc2022
    DN: CN=SSL.com TLS ECC Root CA 2022, O=SSL Corporation, C=US

+ SSL.com
  + ssltlsrootrsa2022
    DN: CN=SSL.com TLS RSA Root CA 2022, O=SSL Corporation, C=US
```

FIXED ISSUES

client-libs

Priority Bug Summary
P3 JDK-8298887 On the latest macOS+XCode the Robot API may report wrong colors

client-libs/2d

Priority Bug Summary
P3 JDK-8318951 Additional negative value check in JPEG decoding
P3 JDK-8311666 Disabled tests in test/jdk/sun/java2d/marlin
P4 JDK-8337312 [8u] Windows x86 VS2010 build broken by JDK-8320097

client-libs/java.awt

Priority Bug Summary
P4 JDK-6544871 java/awt/event/KeyEvent/KeyTyped/CtrlASCII.html fails from jdk b09 on windows.

client-libs/javax.sound

Priority Bug Summary
P4 JDK-8266248 Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
P4 JDK-7188098 TEST_BUG: closed/javax/sound/midi/Synthesizer/Receiver/bug6186488.java fails

client-libs/javax.swing

Priority Bug Summary
P3 JDK-8327007 javax/swing/JSpinner/8008657/bug8008657.java fails
P4 JDK-8264328 Broken license in javax/swing/JComboBox/8072767/bug8072767.java
P4 JDK-8221903 PIT: javax/swing/RepaintManager/IconifyTest/IconifyTest.java fails on ubuntu18.04

core-libs

Priority Bug Summary
P4 JDK-8326351 Update the Zlib version in open/src/java.base/share/legal/zlib.md to 1.3.1

core-libs/java.net

Priority Bug Summary
P4 JDK-8238274 (sctp) JDK-7118373 is not fixed for SctpChannel

core-libs/java.nio

Priority Bug Summary
P4 JDK-8030795 java/nio/file/Files/probeContentType/ForceLoad.java failing with ServiceConfigurationError without jtreg -agentvm option

core-libs/java.util

Priority Bug Summary
P2 JDK-8284771 java/util/zip/CloseInflaterDeflaterTest.java failed with "AssertionError: Expected IOException to be thrown, but nothing was thrown"
P4 JDK-8335894 [8u] Fix SupplementalJapaneseEraTest.java for jdks with symlinked conf dir
P4 JDK-8299677 Formatter.format might take a long time to format an integer or floating-point

core-libs/java.util.jar

Priority Bug Summary
P4 JDK-8278794 Infinite loop in DeflaterOutputStream.finish()
P4 JDK-8193682 Infinite loop in ZipOutputStream.close()
P4 JDK-8315117 Update Zlib Data Compression Library to Version 1.3
P4 JDK-8324632 Update Zlib Data Compression Library to Version 1.3.1

core-libs/java.util:i18n

Priority Bug Summary
P3 JDK-8305400 ISO 4217 Amendment 175 Update
P3 JDK-8321480 ISO 4217 Amendment 176 Update
P3 JDK-8334653 ISO 4217 Amendment 177 Update

core-libs/javax.naming

Priority Bug Summary
P3 JDK-8196770 Add JNDI test com/sun/jndi/ldap/blits/AddTests/AddNewEntry.java
P3 JDK-8290367 Update default value and extend the scope of com.sun.jndi.ldap.object.trustSerialData system property
P4 JDK-8251188 Update LDAP tests not to use wildcard addresses

core-svc/debugger

Priority Bug Summary
P4 JDK-8030204 com/sun/jdi/JdbExprTest.sh: Required output "Can\\'t convert 2147483648 to int" not found
P4 JDK-4660158 TTY: NumberFormatException while trying to set values by 'set' command

core-svc/javax.management

Priority Bug Summary
P3 JDK-8145919 sun/management/jmxremote/bootstrap/RmiSslBootstrapTest failed with Connection failed for no credentials
P4 JDK-8335851 [8u] Test JMXStartStopTest.java fails after JDK-8334415
P4 JDK-8035395 sun/management/jmxremote/startstop/JMXStartStopTest.java fails intermittently: Port already in use

hotspot/compiler

Priority Bug Summary
P3 JDK-8313626 C2 crash due to unexpected exception control flow
P3 JDK-8021775 compiler/8009761/Test8009761.java "Failed: init recursive calls: 51. After deopt 50"
P4 JDK-8233364 Fix undefined behavior in Canonicalizer::do_ShiftOp

hotspot/gc

Priority Bug Summary
P3 JDK-8316328 Test jdk/jfr/event/oldobject/TestSanityDefault.java times out for some heap sizes

hotspot/jfr

Priority Bug Summary
P4 JDK-8305931 jdk/jfr/jcmd/TestJcmdDumpPathToGCRoots.java failed with "Expected chains but found none"
P4 JDK-8326521 JFR: CompilerPhase event test fails on windows 32 bit
P4 JDK-8326529 JFR: Test for CompilerCompile events fails due to time out

hotspot/runtime

Priority Bug Summary
P4 JDK-8309138 Fix container tests for jdks with symlinked conf dir
P4 JDK-8152207 Perform array bound checks while getting a length of bytecode instructions

hotspot/test

Priority Bug Summary
P4 JDK-8337110 [8u] TestNoEagerReclaimOfHumongousRegions.java should be in gc/g1 directory

infrastructure/build

Priority Bug Summary
P4 JDK-8333669 [8u] GHA: Dead VS2010 download link
P4 JDK-8331730 [8u] GHA: update sysroot for cross builds to Debian bullseye
P4 JDK-8315863 [GHA] Update checkout action to use v4
P4 JDK-8137329 [windows] Build broken on VS2010 after "8046148: JEP 158: Unified JVM Logging"
P4 JDK-8075511 Enable -Woverloaded-virtual C++ warning for HotSpot build
P4 JDK-8281096 Flags introduced by configure script are not passed to ADLC build
P4 JDK-8318039 GHA: Bump macOS and Xcode versions
P4 JDK-8336928 GHA: Bundle artifacts removal broken
P4 JDK-8324723 GHA: Upgrade some actions to avoid deprecated Node 16

infrastructure/licensing

Priority Bug Summary
P4 JDK-8338144 [8u] Remove duplicate license files

infrastructure/release_eng

Priority Bug Summary
P4 JDK-8333126 Bump update version of OpenJDK: 8u432

security-libs/java.security

Priority Bug Summary
P2 JDK-8341057 Add 2 SSL.com TLS roots

security-libs/javax.net.ssl

Priority Bug Summary
P2 JDK-8341059 Change Entrust TLS distrust date to November 12, 2024
P3 JDK-8279164 Disable TLS_ECDH_* cipher suites
P3 JDK-8337664 Distrust TLS server certificates issued after Oct 2024 and anchored by Entrust Root CAs

tools

Priority Bug Summary
P4 JDK-8320964 sun/tools/native2ascii/Native2AsciiTests.sh fails on Japanese